The NSA has published new warnings for military and intelligence personnel about the threats from location data that is captured constantly on modern cellphones (originally reported by the Wall Street Journal). While privacy advocates (including us at Purism) have long warned about these risks, having the NSA publish an official document on the subject helps demonstrate that cellphone tracking is a real privacy and security problem for everyone.
We have been thinking about the danger of location data on cellphones for a long time at Purism and have designed the Librem 5 from scratch specifically to address this risk. The NSA document describes and confirms a number of the threats I wrote about almost a year and a half ago when I introduced our “lockdown mode” feature on the Librem 5–a feature that disables all sensors on the Librem 5. In this post I’ll describe the threats the NSA presents in their document and how we address them with the Librem 5.
The first threat the NSA highlights is with cellular location data:
Using a mobile device–even powering it on–exposes location data. Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network … If an adversary can influence or control the provider in some way, this location data may be compromised. Public news articles have reported that providers have been known to sell data, including near-real time location data, to third-parties.
In my lockdown mode post I describe how we designed the Librem 5 with a removable cellular modem and a hardware kill switch to mitigate this threat:
Putting a kill switch in the Librem 5 meant a design unlike many of the existing phones out there that combine the CPU and cellular modem into a single chip. We intentionally split out the baseband onto a replaceable M.2 card. This not only lets you physically remove the baseband altogether, but lets you power it off with a kill switch. If you want to know for sure that your cellphone isn’t tracking you, you can flip the switch and know for certain that it’s off.
The NSA goes on to describe the risk from cell site simulators (aka “Stingrays”):
Location data from a mobile device can be obtained even without provider cooperation. These devices transmit identifying information when connecting to cellular networks. Commercially available rogue base stations allow anyone in the local area to inexpensively and easily obtain real-time location data and track targets. This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it, if it is the strongest signal present.
As I mention in my Taking the Sting out of Stingray post:
With the Librem 5 hardware kill switches, you have a convenient way to shut down the cellular modem completely and quickly, yet retain the ability to use the rest of the phone as normal.
The cellular modem isn’t the only device in a phone that presents a tracking risk. The NSA document highlights two important facts: location services on a phone are not the same thing as the GPS hardware, and WiFi and Bluetooth devices still present a threat even if GPS and cellular data are disabled:
Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure…
Also important to remember is that GPS is not the same as location services. Even if GPS and cellular data are unavailable, a mobile device calculates location using Wi-Fi and/or BT…
Even if cellular service is turned off on a mobile device, Wi-Fi and BT can be used to determine a user’s location. Inconspicuous equipment (e.g., wireless sniffers) can determine signal strength and calculate location, even when the user is not actively using the wireless services.
Or put a different way in my lockdown mode post, this is why the Librem 5 has a hardware kill switch to disable WiFi and Bluetooth:
Like with the camera and microphone, the WiFi and Bluetooth kill switch has even greater significance on a phone than on a laptop. Disabling WiFi and Bluetooth can protect you from external over-the-air attacks if you are in a high-risk area (or a vulnerability comes out for your WiFi or Bluetooth card). Protecting against remote attacks isn’t the only benefit of this kill switch though, disabling WiFi in particular can also protect you from tracking.
Since your phone is in your pocket, your WiFi hardware detects compatible networks nearby as you move around. Even if you don’t associate with the networks around you, the mere fact that your hardware can see them allows the phone (and apps on it) to know you are near those devices. As you move, your distance to those devices changes, which changes the strength of the signal and helps triangulate where you are for any company like Google that has a database of WiFi access points, along with their location. By removing power from your WiFi hardware, you can ensure that any applications that might try to track your location with WiFi are blocked.
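To make the mechanism concrete, here is an added example (not from the original post or from Purism's code) showing how signal strengths from a passive WiFi scan, combined with an access-point location database, yield a position fix, and why a scan with no visible radios yields none. The AP database, grid coordinates and path-loss constants are constructed assumptions.

```python
import math

# Constructed AP database (assumption): BSSID -> (x, y) in metres on a local grid.
AP_DB = {
    "02:00:00:00:00:01": (0.0, 0.0),
    "02:00:00:00:00:02": (40.0, 0.0),
    "02:00:00:00:00:03": (0.0, 40.0),
    "02:00:00:00:00:04": (40.0, 40.0),
}
P0_DBM = -40.0  # assumed RSSI at 1 m
N_EXP = 3.0     # assumed path-loss exponent

def distance_to_rssi(d):
    """Log-distance path-loss model: rssi = P0 - 10*n*log10(d)."""
    return P0_DBM - 10 * N_EXP * math.log10(max(d, 1.0))

def rssi_to_distance(rssi):
    """Invert the model to turn a signal strength into a range estimate."""
    return 10 ** ((P0_DBM - rssi) / (10 * N_EXP))

def estimate_position(scan):
    """scan: {bssid: rssi_dbm} from a passive scan; no association needed.
    Returns (x, y), or None when fewer than three known APs were seen."""
    known = [(AP_DB[b], rssi_to_distance(r)) for b, r in scan.items() if b in AP_DB]
    if len(known) < 3:
        return None
    (x1, y1), d1 = known[0]
    # Subtract the first circle equation from the others to get linear rows,
    # then accumulate the 2x2 normal equations (A^T A) p = A^T b.
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), di in known[1:]:
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = (xi**2 + yi**2 - di**2) - (x1**2 + y1**2 - d1**2)
        saa += a * a; sab += a * b; sbb += b * b
        sac += a * c; sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:  # APs are collinear: no unique fix
        return None
    return ((sac * sbb - sbc * sab) / det, (saa * sbc - sab * sac) / det)

def scan_at(pos, quantise=False):
    """Constructed scan a device at `pos` would observe under the model."""
    out = {}
    for bssid, (x, y) in AP_DB.items():
        rssi = distance_to_rssi(math.hypot(pos[0] - x, pos[1] - y))
        out[bssid] = round(rssi) if quantise else rssi
    return out
```

Even with RSSI rounded to whole dBm, the estimate stays close to the true position, while an empty scan (the radio has no power) gives the estimator nothing to work with.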
The NSA went on to describe the tracking risk posed by all of the sensors in a cellphone:
Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location. Disabling BT completely may not be possible on some devices, even when a setting to disable BT exists. When communication is restored, saved information may be transmitted.
In my lockdown mode article I elaborate on some of the specific ways sensors can be used to track you, and how lockdown mode makes it convenient to turn your Librem 5 into a usable portable computer without any sensors:
To trigger Lockdown Mode, just switch all three kill switches off. When in Lockdown Mode, in addition to powering off the cameras, microphone, WiFi, Bluetooth and cellular baseband we also cut power to GNSS, IMU, and ambient light and proximity sensors. Lockdown Mode leaves you with a perfectly usable portable computer, just with all tracking sensors and other hardware disabled. If you switch any of the hardware kill switches back on, the hardware that corresponds to that switch powers on along with GNSS, IMU, and ambient light and proximity sensors.
While the NSA describes a number of software mitigations as part of their guidance, they also make it perfectly clear why relying on software to protect you from tracking is flawed:
If a mobile device has been compromised, the user may no longer be able to trust the setting indicators. Detecting compromised mobile devices can be difficult or impossible; such devices may store or transmit location data even when location settings or all wireless capabilities have been disabled.
This is precisely why even though the Librem 5 lets you disable hardware with software settings, we also provide you with full control over all security- and privacy-sensitive hardware with hardware kill switches.
The NSA even outlines the fundamental privacy and security problems with the data-grabbing app ecosystem:
Apps, even when installed using the approved app store, may collect, aggregate, and transmit information that exposes a user’s location. Many apps request permission for location and other resources that are not needed for the function of the app.
As I describe in Mobile App Stores and the Power of Incentives, we are addressing this problem with the Librem 5 too:
A large part of our work at Purism is focused on creating a healthy, ethical, privacy-preserving alternative to the current mobile app ecosystem. This is one of many reasons why the Librem 5 doesn’t run Android nor iOS but instead runs PureOS–the same secure, privacy-preserving, Free Software Foundation-endorsed operating system that we use on our Librem Laptops and Librem Mini.
While users are free to install any third-party applications they want, applications in our PureOS Store must be free software and protect user privacy. As Purism’s founder and CEO Todd Weaver says: “Every line of code is a moral decision.” Making privacy and free software a default changes the incentives to encourage ethical behavior by developers. It’s much harder to hide tracking features in your application if anyone can inspect the code and create a version that removes those features.
The NSA document ends with a list of mitigations targeted at Android and iOS that revolve around tweaking location settings and app permissions in software and disabling devices in software when they aren’t being used. As the NSA acknowledges, this is imperfect because if the software is compromised, you can’t necessarily trust that those mitigations are taking effect. This is why we think the best way to protect yourself from tracking is with all of the security features of the Librem 5–a phone designed from scratch to protect your privacy, security and freedom.